Research Policies
These policies govern all security and AI-safety research conducted under the Vulpes Watch banner, including by the Skulk research team. Vendors enrolled in any bounty or coordinated-disclosure program with Vulpes Watch can rely on this page as the authoritative statement of researcher conduct.
1. Coordinated disclosure
- Default embargo: 90 days from the date of triage acknowledgement by the vendor.
- Extension: We extend embargo on written request when the vendor is communicating in good faith and a fix is in progress. There is no fixed cap; “we are still working on it” is acceptable as long as we hear it.
- Acceleration: We may shorten embargo only when there is documented evidence of active in-the-wild exploitation, and only after written notice to the vendor.
- Public release: After embargo, we publish only after the vendor has had at least seven days to review the planned write-up and request specific redactions. Reasonable redaction requests are honored.
- Silent fixes: We do not assume silent fixes resolve embargo. The clock runs from triage acknowledgement, not from when we notice a patch.
2. Scope and target boundaries
We probe only:
- Our own API keys, tenants, accounts, and subscriptions.
- Public surfaces explicitly listed as in-scope by a vendor’s published bounty program.
- Test fixtures and sandbox environments the vendor has designated for research.
We do not probe:
- Real-user accounts, data, or sessions other than our own.
- Production infrastructure, shared queues, or rate-limited resources in ways that affect other users.
- Third-party services that integrate with the target unless that integration is explicitly in scope.
3. Data handling
- No exfiltration: If a probe reveals access to data that is not ours, we stop, do not retrieve more, and report the boundary issue.
- Local logging only: Probe transcripts, model responses, and reproduction artifacts are stored on private infrastructure under our control. They are not shared publicly, posted to social media, or uploaded to third-party hosting.
- Retention: Findings and supporting transcripts are retained for the duration of the embargo plus one year, then deleted unless the vendor requests longer retention for ongoing investigation.
- PII: If a probe inadvertently surfaces personally identifiable information about real users, that PII is reported to the vendor immediately and deleted from our records within 24 hours of confirmed receipt.
4. Conduct boundaries
We will not:
- Socially engineer vendor staff, contractors, customers, or end users.
- Phish, pretext, or impersonate.
- Conduct denial-of-service or availability-impacting tests.
- Make payments, place orders, or trigger billable actions against vendors except as required by normal API usage of our own keys.
- Threaten public disclosure as leverage for higher payouts.
- Trade findings on private markets, sell them to brokers, or share them with third parties before coordinated disclosure resolves.
5. Identity and accountability
- Legal name: All bounty payouts and tax forms are under the legal name James Eiten.
- Public handle: Vulpes Watch and Skulk are research-program brand names operated by James Eiten as an individual. They are not legal entities and do not represent any employer.
- No client work: Findings under Vulpes Watch are independent research. We do not perform contracted security work or accept undisclosed payment to suppress findings.
6. Safe harbor expectations
We assume vendors with published bounty programs offer the standard safe harbor terms (good-faith research without legal action, anti-circumvention exemption, proportional scope). If a vendor’s published terms are silent on any of these, we ask in writing before submitting; we do not assume.
If a vendor demands embargo extensions, redactions, or behavioral changes that go beyond their published policy, we negotiate in writing and are willing to walk away from a payout to preserve disclosure timelines we believe are justified by user safety.
7. AI-specific commitments
For AI-safety research specifically:
- Constitutional / classifier probes: We test classifier robustness against the published policy taxonomy. We do not generate or retain content that is harmful to real victims (e.g., we do not actually produce CSAM, working malware, weapons synthesis details, or non-consensual intimate imagery). Probes are constructed to demonstrate boundary placement, not to produce usable harmful artifacts.
- Indirect prompt injection: When probing tool-use or agentic surfaces, the injected payloads are inert markers, not real exploit payloads. We demonstrate the path, not the harm.
- Cross-model testing: When a finding affects multiple vendors (e.g., a prompt-injection class that breaks Claude, GPT, and Gemini), we report to all affected vendors simultaneously with synchronized embargo dates.
- Model output retention: Generated harmful content is logged only to the minimum necessary to demonstrate the finding, encrypted at rest, and deleted at the end of the retention window.
8. Communication
- Primary contact: [email protected] (or [email protected] for AI-safety-specific work). Per-platform aliases (bounty-<vendor>@vulpeswatch.com) forward to the same inbox.
- Encrypted channel: PGP key linked above. Signal available on request through the published email.
- Response time: We aim to acknowledge vendor messages within two business days and to provide substantive technical responses within five.
9. Updates to this policy
This page is versioned. Material changes are dated at the top and announced in the next bounty submission. Vendors with active engagements are notified of relevant policy changes by email.